341a9cc954c214fb07180908b6144cd767bb89de082f86058d26a098e0dfb5b7

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 02:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

341a9cc954c214fb07180908b6144cd767bb89de082f86058d26a098e0dfb5b7.exe
Size

96KB
MD5

ec4029e1b9222692eeb2c95af628bfa0
SHA1

673844849830a4b05df6938fcff0523d36fc600a
SHA256

341a9cc954c214fb07180908b6144cd767bb89de082f86058d26a098e0dfb5b7
SHA512

1d4bb49495172161806d3deb1790c204d1c319abb5ce90fc631cd0be069848ff03ac9e0a7165ad3eb92da7e7b21d0ab32a9a5ba2e81c32b8357031df34d97856
SSDEEP

1536:qGKqZ22qoaZH4c2miuOAnrvW5UDYkGw2to74S7V+5pUMv84WMRw8Dkqq:z1Y4c2BufnrvWgiA4Sp+7H7wWkqq

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpklpkio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jiikak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gameonno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjolnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfjmgdlf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iiffen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gjjjle32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfqjafdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqfooodg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	341a9cc954c214fb07180908b6144cd767bb89de082f86058d26a098e0dfb5b7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	341a9cc954c214fb07180908b6144cd767bb89de082f86058d26a098e0dfb5b7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gcbnejem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjjmog32.exe

Executes dropped EXE 64 IoCs

pid	Process
3444	Gjjjle32.exe
1104	Gcbnejem.exe
400	Gfqjafdq.exe
8	Gqfooodg.exe
3688	Gbgkfg32.exe
2992	Giacca32.exe
4332	Gpklpkio.exe
540	Gfedle32.exe
2068	Gqkhjn32.exe
2804	Gcidfi32.exe
1552	Gifmnpnl.exe
4576	Gameonno.exe
888	Hfjmgdlf.exe
4936	Hihicplj.exe
1756	Hcnnaikp.exe
4272	Hfljmdjc.exe
5044	Hmfbjnbp.exe
3668	Hcqjfh32.exe
2408	Himcoo32.exe
4656	Hpgkkioa.exe
3504	Hfachc32.exe
1136	Hmklen32.exe
4968	Hcedaheh.exe
4108	Hjolnb32.exe
3184	Hmmhjm32.exe
2044	Ipldfi32.exe
3076	Impepm32.exe
3180	Icjmmg32.exe
440	Iiffen32.exe
1572	Iannfk32.exe
1476	Ibojncfj.exe
4568	Iiibkn32.exe
1556	Iapjlk32.exe
1968	Ibagcc32.exe
1488	Imgkql32.exe
3652	Idacmfkj.exe
2176	Ifopiajn.exe
3392	Imihfl32.exe
816	Jdcpcf32.exe
1392	Jbfpobpb.exe
4596	Jiphkm32.exe
756	Jagqlj32.exe
1748	Jdemhe32.exe
3048	Jfdida32.exe
3908	Jmnaakne.exe
4672	Jaimbj32.exe
2748	Jbkjjblm.exe
3720	Jjbako32.exe
2656	Jmpngk32.exe
3888	Jdjfcecp.exe
3128	Jfhbppbc.exe
4068	Jigollag.exe
2972	Jangmibi.exe
3552	Jbocea32.exe
4356	Jiikak32.exe
1808	Kpccnefa.exe
2020	Kbapjafe.exe
3344	Kkihknfg.exe
3632	Kmgdgjek.exe
3588	Kdaldd32.exe
2280	Kgphpo32.exe
4388	Kmjqmi32.exe
4444	Kphmie32.exe
3604	Kgbefoji.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Lkgdml32.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Dngdgf32.dll	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Gameonno.exe	Gifmnpnl.exe
File created	C:\Windows\SysWOW64\Adakia32.dll	Hfjmgdlf.exe
File created	C:\Windows\SysWOW64\Jflepa32.dll	Jbocea32.exe
File created	C:\Windows\SysWOW64\Kbmfdgkm.dll	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Hihicplj.exe	Hfjmgdlf.exe
File created	C:\Windows\SysWOW64\Hfachc32.exe	Hpgkkioa.exe
File created	C:\Windows\SysWOW64\Bekppcpp.dll	Hmmhjm32.exe
File created	C:\Windows\SysWOW64\Bpqnnk32.dll	Imgkql32.exe
File created	C:\Windows\SysWOW64\Jjbako32.exe	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Joamagmq.dll	Kipabjil.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Lpcioj32.dll	Gameonno.exe
File opened for modification	C:\Windows\SysWOW64\Ipldfi32.exe	Hmmhjm32.exe
File opened for modification	C:\Windows\SysWOW64\Icjmmg32.exe	Impepm32.exe
File created	C:\Windows\SysWOW64\Kbmebabl.dll	Iiffen32.exe
File created	C:\Windows\SysWOW64\Imgkql32.exe	Ibagcc32.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Majopeii.exe
File created	C:\Windows\SysWOW64\Gpklpkio.exe	Giacca32.exe
File created	C:\Windows\SysWOW64\Gfedle32.exe	Gpklpkio.exe
File created	C:\Windows\SysWOW64\Adijolgl.dll	Gqkhjn32.exe
File created	C:\Windows\SysWOW64\Fojkiimn.dll	Iannfk32.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Hfljmdjc.exe	Hcnnaikp.exe
File opened for modification	C:\Windows\SysWOW64\Imgkql32.exe	Ibagcc32.exe
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Ggpfjejo.dll	Jfhbppbc.exe
File opened for modification	C:\Windows\SysWOW64\Jbocea32.exe	Jangmibi.exe
File opened for modification	C:\Windows\SysWOW64\Kbapjafe.exe	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Kmjqmi32.exe	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Dakcla32.dll	Iiibkn32.exe
File created	C:\Windows\SysWOW64\Jbocea32.exe	Jangmibi.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mciobn32.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Jdkhlo32.dll	Gifmnpnl.exe
File created	C:\Windows\SysWOW64\Lpfihl32.dll	Iapjlk32.exe
File created	C:\Windows\SysWOW64\Jagqlj32.exe	Jiphkm32.exe
File opened for modification	C:\Windows\SysWOW64\Kckbqpnj.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Jchbak32.dll	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Jangmibi.exe	Jigollag.exe
File created	C:\Windows\SysWOW64\Lmmcfa32.dll	Kpccnefa.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5856	5696	WerFault.exe	209

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpcioj32.dll"	Gameonno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakcla32.dll"	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gfqjafdq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibimpp32.dll"	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqncfneo.dll"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnckcnhb.dll"	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmlgol32.dll"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflepa32.dll"	Jbocea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gbgkfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgiacnii.dll"	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peeafpaf.dll"	Gcbnejem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpgkkioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joamagmq.dll"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnbbnj32.dll"	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bejkjg32.dll"	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocaapo32.dll"	341a9cc954c214fb07180908b6144cd767bb89de082f86058d26a098e0dfb5b7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iebapp32.dll"	Gqfooodg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Giacca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmpfpdoi.dll"	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pckgbakk.dll"	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gcbnejem.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 3444	2904	341a9cc954c214fb07180908b6144cd767bb89de082f86058d26a098e0dfb5b7.exe	82
PID 2904 wrote to memory of 3444	2904	341a9cc954c214fb07180908b6144cd767bb89de082f86058d26a098e0dfb5b7.exe	82
PID 2904 wrote to memory of 3444	2904	341a9cc954c214fb07180908b6144cd767bb89de082f86058d26a098e0dfb5b7.exe	82
PID 3444 wrote to memory of 1104	3444	Gjjjle32.exe	83
PID 3444 wrote to memory of 1104	3444	Gjjjle32.exe	83
PID 3444 wrote to memory of 1104	3444	Gjjjle32.exe	83
PID 1104 wrote to memory of 400	1104	Gcbnejem.exe	84
PID 1104 wrote to memory of 400	1104	Gcbnejem.exe	84
PID 1104 wrote to memory of 400	1104	Gcbnejem.exe	84
PID 400 wrote to memory of 8	400	Gfqjafdq.exe	85
PID 400 wrote to memory of 8	400	Gfqjafdq.exe	85
PID 400 wrote to memory of 8	400	Gfqjafdq.exe	85
PID 8 wrote to memory of 3688	8	Gqfooodg.exe	86
PID 8 wrote to memory of 3688	8	Gqfooodg.exe	86
PID 8 wrote to memory of 3688	8	Gqfooodg.exe	86
PID 3688 wrote to memory of 2992	3688	Gbgkfg32.exe	87
PID 3688 wrote to memory of 2992	3688	Gbgkfg32.exe	87
PID 3688 wrote to memory of 2992	3688	Gbgkfg32.exe	87
PID 2992 wrote to memory of 4332	2992	Giacca32.exe	88
PID 2992 wrote to memory of 4332	2992	Giacca32.exe	88
PID 2992 wrote to memory of 4332	2992	Giacca32.exe	88
PID 4332 wrote to memory of 540	4332	Gpklpkio.exe	89
PID 4332 wrote to memory of 540	4332	Gpklpkio.exe	89
PID 4332 wrote to memory of 540	4332	Gpklpkio.exe	89
PID 540 wrote to memory of 2068	540	Gfedle32.exe	90
PID 540 wrote to memory of 2068	540	Gfedle32.exe	90
PID 540 wrote to memory of 2068	540	Gfedle32.exe	90
PID 2068 wrote to memory of 2804	2068	Gqkhjn32.exe	91
PID 2068 wrote to memory of 2804	2068	Gqkhjn32.exe	91
PID 2068 wrote to memory of 2804	2068	Gqkhjn32.exe	91
PID 2804 wrote to memory of 1552	2804	Gcidfi32.exe	92
PID 2804 wrote to memory of 1552	2804	Gcidfi32.exe	92
PID 2804 wrote to memory of 1552	2804	Gcidfi32.exe	92
PID 1552 wrote to memory of 4576	1552	Gifmnpnl.exe	93
PID 1552 wrote to memory of 4576	1552	Gifmnpnl.exe	93
PID 1552 wrote to memory of 4576	1552	Gifmnpnl.exe	93
PID 4576 wrote to memory of 888	4576	Gameonno.exe	94
PID 4576 wrote to memory of 888	4576	Gameonno.exe	94
PID 4576 wrote to memory of 888	4576	Gameonno.exe	94
PID 888 wrote to memory of 4936	888	Hfjmgdlf.exe	96
PID 888 wrote to memory of 4936	888	Hfjmgdlf.exe	96
PID 888 wrote to memory of 4936	888	Hfjmgdlf.exe	96
PID 4936 wrote to memory of 1756	4936	Hihicplj.exe	97
PID 4936 wrote to memory of 1756	4936	Hihicplj.exe	97
PID 4936 wrote to memory of 1756	4936	Hihicplj.exe	97
PID 1756 wrote to memory of 4272	1756	Hcnnaikp.exe	98
PID 1756 wrote to memory of 4272	1756	Hcnnaikp.exe	98
PID 1756 wrote to memory of 4272	1756	Hcnnaikp.exe	98
PID 4272 wrote to memory of 5044	4272	Hfljmdjc.exe	99
PID 4272 wrote to memory of 5044	4272	Hfljmdjc.exe	99
PID 4272 wrote to memory of 5044	4272	Hfljmdjc.exe	99
PID 5044 wrote to memory of 3668	5044	Hmfbjnbp.exe	100
PID 5044 wrote to memory of 3668	5044	Hmfbjnbp.exe	100
PID 5044 wrote to memory of 3668	5044	Hmfbjnbp.exe	100
PID 3668 wrote to memory of 2408	3668	Hcqjfh32.exe	101
PID 3668 wrote to memory of 2408	3668	Hcqjfh32.exe	101
PID 3668 wrote to memory of 2408	3668	Hcqjfh32.exe	101
PID 2408 wrote to memory of 4656	2408	Himcoo32.exe	103
PID 2408 wrote to memory of 4656	2408	Himcoo32.exe	103
PID 2408 wrote to memory of 4656	2408	Himcoo32.exe	103
PID 4656 wrote to memory of 3504	4656	Hpgkkioa.exe	104
PID 4656 wrote to memory of 3504	4656	Hpgkkioa.exe	104
PID 4656 wrote to memory of 3504	4656	Hpgkkioa.exe	104
PID 3504 wrote to memory of 1136	3504	Hfachc32.exe	105

C:\Users\Admin\AppData\Local\Temp\341a9cc954c214fb07180908b6144cd767bb89de082f86058d26a098e0dfb5b7.exe
"C:\Users\Admin\AppData\Local\Temp\341a9cc954c214fb07180908b6144cd767bb89de082f86058d26a098e0dfb5b7.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Windows\SysWOW64\Gjjjle32.exe
  C:\Windows\system32\Gjjjle32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3444
- - C:\Windows\SysWOW64\Gcbnejem.exe
    C:\Windows\system32\Gcbnejem.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1104
  - - C:\Windows\SysWOW64\Gfqjafdq.exe
      C:\Windows\system32\Gfqjafdq.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:400
    - - C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:8
      - C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:888
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3504
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        23⤵
        Executes dropped EXE
        
        PID:1136
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        24⤵
        Executes dropped EXE
        
        PID:4968
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4108
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3184
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3076
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3180
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:440
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1572
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1476
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1556
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3652
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        38⤵
        Executes dropped EXE
        
        PID:2176
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3392
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:816
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        41⤵
        Executes dropped EXE
        
        PID:1392
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4596
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:756
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        44⤵
        Executes dropped EXE
        
        PID:1748
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        45⤵
        Executes dropped EXE
        
        PID:3048
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        46⤵
        Executes dropped EXE
        
        PID:3908
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4672
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2748
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        49⤵
        Executes dropped EXE
        
        PID:3720
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        50⤵
        Executes dropped EXE
        
        PID:2656
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3888
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3128
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4068
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3552
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4356
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1808
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2020
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3344
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3632
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        61⤵
        Executes dropped EXE
        
        PID:3588
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2280
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        64⤵
        Executes dropped EXE
        
        PID:4444
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3604
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:928
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        68⤵
        Modifies registry class
        
        PID:4028
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3952
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        70⤵
        Drops file in System32 directory
        
        PID:3996
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2604
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        72⤵
        Modifies registry class
        
        PID:2728
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4688
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        74⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        75⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        76⤵
        Modifies registry class
        
        PID:2632
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4992
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        78⤵
        Drops file in System32 directory
        
        PID:3936
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        79⤵
        Drops file in System32 directory
        
        PID:1576
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5072
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1888
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2500
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        84⤵
        Drops file in System32 directory
        
        PID:2996
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        85⤵
        Drops file in System32 directory
        
        PID:1948
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3116
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        87⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1952
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:784
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4684
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2144
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5232
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        96⤵
        Drops file in System32 directory
        
        PID:5276
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5320
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5408
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5624
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        106⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5748
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        109⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        110⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5920
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        112⤵
        Drops file in System32 directory
        
        PID:5960
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6000
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        115⤵
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6136
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5172
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        118⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        119⤵
        Modifies registry class
        
        PID:5312
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        120⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5440
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        122⤵
        Drops file in System32 directory
        
        PID:5504
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        123⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        124⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5696 -s 420
        125⤵
        Program crash
        
        PID:5856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5696 -ip 5696
1⤵
PID:5820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gameonno.exe

Filesize
96KB

MD5
c8b1d7431b95f42b8dcf93ce5eee41e8

SHA1
804f831d6b60889d62942e20e10b7b852c20d3cb

SHA256
4af83ff90a7094a8347c42b4268776ef4d5b6743f463a73bcf250c6bc302995c

SHA512
5686a39d230b4e39119311e2049958c1bb13e90b87bc32163650abfa7ac871708066f61ebef54493e8e7d2ced22bc564519d8de6122aac58a6ab2dee232f319f

Download Submit
C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
96KB

MD5
35fc25496a07808ec02cc9193a502dc4

SHA1
3828f17d1d712bf0c7c8f996b3693d7e1969d0b7

SHA256
659a2183e09fb422f262b7ab6893cdc8bbaade9038e54340b8212504214fa432

SHA512
623596ba380823d801499dddbeee04a932e3dc21378c184ccc659531a7f00d30a477f661a15d5433c63618cf216b157d67ec88d1ecdaa2cf3b38c6e5b66071bc

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
96KB

MD5
9cf71d0e7e196b08e3c4c6ea65cfc22f

SHA1
100ed674f1b4d493ca52eaa6934d8db3675e23c9

SHA256
fbe8ccbb65ea30537252181f84e77d393ba6910521d2573a629b1300da9209bf

SHA512
7705f7a86d747590dcd04297a091a627e2dae456fcd1abe108ef34116d70a72ce649881f1fd2fa8c73c4e2ba6dfce852d0d652fdb7ec9a4ff5dacc01e4d7d1ce

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
96KB

MD5
08283c5e81aee7cd1ed632fad0144214

SHA1
9c9c28c819ab62b083048922194721fef1cf92e6

SHA256
25eafaba03c7e5260c48ddb35a1127d3852eaa7576a044ef385d907553cc4bfc

SHA512
eb9322eceb4d7d6d1d552cb33f63d670584fb493ea963034001611c678a77d8c7c56455ee4cb115d8e4be07666b96f50b01eea0adc081d9c91dfdef9c5475abd

Download Submit
C:\Windows\SysWOW64\Gfedle32.exe

Filesize
96KB

MD5
acdc2f13740da2fc2b07bb137c785fe7

SHA1
db72b1cdc7d027d9dfa522c052a3f7fba51daf61

SHA256
e3dc9e52ce7e834dff726004ccac9419f60eeb6eecd00b79255ff2cbe832d1c5

SHA512
c99e6a869227c125a8b5f18c937bce32b14cec181d9bde0038983ed932fc71344c5cbfc70ff0f4e76a3c85052de7f9f2a4e2243ffa977bfb2fd0ee2342110599

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
96KB

MD5
12376b44ba297aba2ad8aadc8557342d

SHA1
c5155b74804afcf7f873c81ff24e91d212569a83

SHA256
c390f653aebe550dc8e6838fb488bdde5eb6daaa3a572c0396eb5ab6428d72ce

SHA512
5247bff4041e9cea991a96f840496089e11c1f203b727967989e3491102bb373d8df56e9d1a9de636938ccfc27d1485b5b1088b69bf6fca51add73295fade933

Download Submit
C:\Windows\SysWOW64\Giacca32.exe

Filesize
96KB

MD5
97f63512ab9c2ab0fcce36810ed5b9fb

SHA1
a9c6c7cb54aadcce89bca2589bcd8e2cc7078426

SHA256
265ec5155eb6dcc2423b4aedc4dce0d3970e4726d43f7d678026418d914b4694

SHA512
cc9fe7a7330db49fd72456bdb5fb4c86ffe53bc37331fae8483362bdba7cd70c0b01bdbf072e303845949724be6233f806d98147e5c33599e0ae9e6007af6322

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
96KB

MD5
6f1542d132042ff4d4dd853c3519190b

SHA1
1ce75b1465f285f27e5d2dae6692070d8eccbe45

SHA256
a1f4386e9696b02c01502ea08d2a35014a1411a0adfeac762fd1db8c61091411

SHA512
b4211e63e453f80add525d21f0e04de0b674607f6ec95e02f1b5ee8824830589dd25871f28637fb3699e21285650993a2dce202fb389661b24bbf6903020cedc

Download Submit
C:\Windows\SysWOW64\Gjjjle32.exe

Filesize
96KB

MD5
8ad58d7c3e7498fdcbfb3f547c88b092

SHA1
f851df5862123f6b6321b89eba5b26aa217b9916

SHA256
1949b6bf6b18a6c3d1aa205b5a0a221cf336cec9f2692731bc9b67993aed75e3

SHA512
0ebfad785b84802175ee161f0f325312af15b21d25ba04302fe036fb8934138258b6945ae542d299379aa21f73f951bcfdf6e5ed37cf910adfcb44edc1d05d05

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
96KB

MD5
2285a1795cffd8b01313d80b651dcd04

SHA1
5a88a28bc2a85fda743a3fda886c279bf656fc2c

SHA256
ef7243ad3a2c84a820f50d4436efe1ebac7933ee1cd33d4ee542b87e78edc071

SHA512
fbac2b8fea38186065228fcd2f278b5083d0f0beefeac1d177c408950026dfb3018a76f7696ca9c4a3a3b49c2cdfb5c91ee26d644adb2eb46f1cb6e76eecf4ea

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
96KB

MD5
e97271c362e8b26e4e78a35d99f615c0

SHA1
b08e47a610730c1dc5ef97dc64a6226a00a69476

SHA256
28fd621879983269756b133433a7f2ff4cc87e9fafa08e66992524d15804d4d4

SHA512
4678b844c924cdd1263a34244b07712c63c91c835d062af7003694fa04b5f7034e961f663f292b226af11e10c2658a7ff950f657af0cd2e86190c05bc300d679

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
96KB

MD5
f9ff735e35f53b9e1f69404a800fdb90

SHA1
22ea79c13f5317c3f0dc5a3fdd2756760fb8ab3b

SHA256
f8c0aa1054df6a89a4aa583a926129b85752a4423a75aa94135905e6cbfff799

SHA512
f056fb74bb45451bc174df2db3ef884eb0406e659ff10a7f9f1063737d27dc76a09fb9b9c21851206aced88f047ca8b7799b43111185e1c59b390f041938c597

Download Submit
C:\Windows\SysWOW64\Hcedaheh.exe

Filesize
96KB

MD5
8614831ee0a4c247ce5e0767f033444f

SHA1
abae2396e4451520cd266d7f4a3c1f8372f9dc07

SHA256
dac4fe7ead356b90a24184afb6a4175bf199247a47a796637ff188864021ca64

SHA512
b8dfdd633607966d0d99d740208965f58c3a7d96d31358a797b17bc79784b08b196df12f1e35be1acb49aeb654acd709fa32b358ad679eaddcc8ceab9a04a85b

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
96KB

MD5
cbda37219668957341b3728bf233852c

SHA1
c9f6eda2dfbaffa6dff4529231b940c3ebf02352

SHA256
2630f7fd9625fb3d72308cfffe3843c54763e74e8ab6c815a07b92153aa4fd83

SHA512
ebbc7c3f0b266818ca737aa3ae843a7568ea222fab75007bc557793a1569ea762a0fd206d4f14c02bd0dc4c77d489c23a6bde919768573b0135fc32004bae0f6

Download Submit
C:\Windows\SysWOW64\Hcqjfh32.exe

Filesize
96KB

MD5
a1ff191cd05aad06520ad35f04a756c8

SHA1
92da676440e97017b27d976248eefb07748ccafe

SHA256
6f2a0cb74aa178b0a39ec427f397160fda7209f400878cb4caf661a557bde136

SHA512
432e09fd9bb818c1a6d2f7f3f6c05f98d8ac4b229668bbed7d5a25d333ccb6830f911862004d382f9d38a5cee4491c41549fc20896167c1682763dcb6080663a

Download Submit
C:\Windows\SysWOW64\Hfachc32.exe

Filesize
96KB

MD5
3025e270dc33410aa35f24273d83e23d

SHA1
cbe1638189fdc6cd784b9b347e19cfd96ed4b063

SHA256
fead13c9d07f0a2e42a849ec13fc979dc95022b6526e81a52b434a3d3359b6fd

SHA512
f13df6493259f621072b25aa9857e8c0879a5894a67f53cb4a626ef516cabb411e2385d731d98f37418d710417ac5740c2560eab6a61c4d6b2434324154e4697

Download Submit
C:\Windows\SysWOW64\Hfjmgdlf.exe

Filesize
96KB

MD5
b7b79d9fe7752a25f8a3df61f6c1b63d

SHA1
b31325f588942f13e208c4a31741cc3ec779ce44

SHA256
2a3aab5fb4da62447ee4425110e8717755fd43bcd107e0e420ff5284b517e5d7

SHA512
9442f252140b3be38dd13df09a225fec5b30295f01c03874713b1d8ba328a78d36b62a3f296b9f4cbabd021df71f81e27e4dc24a94a4bb2b395f63b941f2007e

Download Submit
C:\Windows\SysWOW64\Hfljmdjc.exe

Filesize
96KB

MD5
75b2fa94a47ed83d360dbc72fce08f2d

SHA1
9d48e1e4ffa318ad675316d51f260503ef4165ce

SHA256
dcde2791f340d23b53c5e18d8fe0ef9e16426e11bae6135a9d30f96dfc1dc9c1

SHA512
399d497466cd7736dbc89358babd229621a8189f4242aa6f70d3de484daa7f2c77cdee84ec9443b1a1cc760555efde19a3d4a3d073b940fe7826c8c32d771809

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
96KB

MD5
e52e1f533cc6da233aef7fc7175aee4f

SHA1
d041c02eb033fb948822aecc761fc272533035b8

SHA256
420a458a3423849b39533f22de4b1a8d8a3c803e8ba056fbdfce94f7389b9100

SHA512
91b40ebf0fc58538b24484f3edd54be360e1593f0a05380cdc0626bc1385829bf8a9b9ea582ea0bdd3ef411acc736d2b1461a33d172aae559c3f96ff4b7537c7

Download Submit
C:\Windows\SysWOW64\Himcoo32.exe

Filesize
96KB

MD5
30a86b627c09f470e227a95ae998a15c

SHA1
565fe7bdc2602fc883354bf10486d5e5c99d3669

SHA256
ea1c9dd9487da9a7ebb1cf91fff441bd6355cfd5d8574e89361df49e2994337d

SHA512
0542dbd292946ee9a557287b2d4a2ffc40b1b872170884c957a2ca8c00309a58a3cf77d901e018219e085f3b0475a5367a3667814fa23b33531de561686d9a3b

Download Submit
C:\Windows\SysWOW64\Hjolnb32.exe

Filesize
96KB

MD5
3132fcbcb83641dd951ae7fea4c965ec

SHA1
c96dd85a65eb1091926e0a9172a3ff13c97c3307

SHA256
0e8cfc64ed516ada21db093293d7621e3192dc7c2ac78d2251cd64a06c192f2f

SHA512
06b37d558edf53e59f16e2664d4dc7c06c429cd2c56b9cb2a7e9ffcbdd6bc6bf962f496faae0ca18ab89a6b2fdf4e22efb36b6dd300323b9b8efd973f1c3dfee

Download Submit
C:\Windows\SysWOW64\Hmfbjnbp.exe

Filesize
96KB

MD5
29dd74e3e9551fd2cc64f174d37af8bc

SHA1
185d9549803c4af519aa0c27efb3c4ed1766b287

SHA256
c695d47c1a95b0b36cae520fcbee5d43301924f6868ec60c4d606319c872f21d

SHA512
31dc669f910e7f63aa4f717cfa3b53eecc0da565a57a4ee9783572449a6534c2f8dbffea99521ad8a1d7bd6bc7cd6ae3d08f9cedde805ab6adc7b3a1ce01f627

Download Submit
C:\Windows\SysWOW64\Hmklen32.exe

Filesize
96KB

MD5
744265987ceca93cf8aa258b14f0804f

SHA1
c532d8e33453a9db0d4fd67d73978952d82d8c30

SHA256
df5b8db0dd02f625ed32e1848256b0e5fa64566f91149acaeeeef1c2462d433e

SHA512
cef656bb182bf93646a9383ae99f78e6d9158a8a92f8f6607f343462179b868fa919c9b2a820671afa174006b66685c2b671c8d1b67b23243797e0d70dbe50a5

Download Submit
C:\Windows\SysWOW64\Hmmhjm32.exe

Filesize
96KB

MD5
8ea7f9b6afcd42eb568e296a4c3a58ac

SHA1
0ef96b3c6dd1771555a4e124e6e1d7f63a585778

SHA256
ed6056011885209809fef0b20d1630102b6e6234276eac8cb5d4e3cb06ca1d2a

SHA512
f8e2e1929ae9d30f09ddc9b260868df8c8cda559729521053931b937d99989ec2645382af6a74ab5e85644e270333b362d84bd7468635fde9bc55b70ca09f7c4

Download Submit
C:\Windows\SysWOW64\Hpgkkioa.exe

Filesize
96KB

MD5
fbe4c552c4bff1c4c8f26e8f23187174

SHA1
f6c3697932fbeac4dab67a9c04fada907eb0793c

SHA256
7ad5fc8642dba0a2b93600981513a95340d80847a63889ec13466a538f15544e

SHA512
687822218bbdebbb314f0db5bdf28614d28e0ec5f02bd3236aaad529e12d6de21365ab4281f5f125cb5c30e0922232da5b9a04c654f776af3379b86435c47975

Download Submit
C:\Windows\SysWOW64\Iannfk32.exe

Filesize
96KB

MD5
83d6d23e1a9fed848f003a49c720ec43

SHA1
2af5686b673801e9c3a798fa81f22aca22e5a052

SHA256
33e25c1e1d0f86cb3078a8d32cd093e96a833db54215039fcef8df3b6e224584

SHA512
16957bb45454f2689707ae7bf7920ea6c722e356f9a2562e3823b2b86883e9e71b3b67e46d51b7bebbf52d01cc9ae45db960a39a717b672d54ad2b3d8dd5469b

Download Submit
C:\Windows\SysWOW64\Ibojncfj.exe

Filesize
96KB

MD5
2505750ec17efe7d6472aaa0f2918465

SHA1
4bdedc69e365a3f377769103dfe16e865b2f6cf5

SHA256
6bd4e473f3ae6a2c39373853c444ee1192a0f7e96bf97202102b3de6178f3979

SHA512
ca02e25e39d7e77556015f272f3f37e470c2e104a07180969bba8e5dee9ddd50e7800e0bed34c1ef4e9fb17b10aa5fb832da0bad80e0779e0ab619107470fc22

Download Submit
C:\Windows\SysWOW64\Icjmmg32.exe

Filesize
96KB

MD5
4a88e95ef671da1689e9e319fbbe4ded

SHA1
2f06bff9824b08045f029ae08f9d736c2921098d

SHA256
0aaeb31a7cb96e32e94e2392d8e09166c228b1b50dec2a0a0f2e4cacbaf3737a

SHA512
d5c8b7e74fa1403929ddc10a6e1fe38c8416dfa95e33abbcd04545850e6fc3b7d549fb1349981b146f264043b485ac0dda4ab39e0e67c610d27456f3a7f4e5d3

Download Submit
C:\Windows\SysWOW64\Iebapp32.dll

Filesize
7KB

MD5
cbd05816e5797f9179595168e470bd78

SHA1
c22dd4804e743d780ba18ab1d0dc462e28a58644

SHA256
77929853cd1d72e22005bdee519cdb74dfb21d5c1223789381ac5dccdec8bcf1

SHA512
991537f873bdfeb1b863f4206484ec10241f61830fa68f20f35d95c684de968ac569e91c3efc598c84bf77ee148da842d11d21f30fa35b3d0a41e14d90a20d40

Download Submit
C:\Windows\SysWOW64\Iiffen32.exe

Filesize
96KB

MD5
df5ff9428787b04a2975fce2f2bec63b

SHA1
9fbac98686f2161a89f509dcf4aa8cbfe9b1787f

SHA256
4a9b69e999a5cafa3b6de771411dbedb7024b1eed29a9c68b4aee4a34c7c0b26

SHA512
341f22d9e27b97530d78de2c627e851003738348d9842490f5db9e33cb09edcec5312e6300cb9aed39acf2545ad2686aabc178e8299076af17835628d90bae4e

Download Submit
C:\Windows\SysWOW64\Iiibkn32.exe

Filesize
96KB

MD5
4cdd215e523d6871ecd2012a1ff6771a

SHA1
e2df42af866befa4f98ab0f5cba3d32ab52c583f

SHA256
5f358b899d128ec9a7a276a0c99d76a4c8e0b368b270308d37eaa7eecfb34123

SHA512
43fde5b499899944dfa5f5a9b752bf58fea5c83282d369b7e1af4ea6c696de4e94a7b99b8eb9c365142e9e4743fa1ea265080870afc6bacbd824717fa65570e4

Download Submit
C:\Windows\SysWOW64\Impepm32.exe

Filesize
96KB

MD5
0fbf41359b2242b3610e7d5a5f4f9a57

SHA1
7bec532c5cfc945ab6e6191334d2bc0ed9a85e7d

SHA256
9fe1c52f3b09a59e505ea424a56108182f5ef60796d7e34c026797e647096cad

SHA512
9358575e6da0c1231fd2560ec1b0ea95d2a4ac56a8c03fa9b415918970440160e26cf739ef1f45abab27bf7b2d56c0339730ba9501089968506d6f6fc3b0d116

Download Submit
C:\Windows\SysWOW64\Ipldfi32.exe

Filesize
96KB

MD5
ccb5eceaeeeb9a92b927a1dad3d077d6

SHA1
3c84d2080ecead85b62467b68d3324d56f935289

SHA256
654c44cb7be27fd1a159a44114396665b4f5b603fcbb0e682bf661e671530f13

SHA512
65fa80aa506f07b6b20efbacb67392e32ebca29b65d02752b50cb3fe8ff2040e0476ade1f5cfc2f9032131fc9de755d9579c35f8b8f7b14be9bc657d35e3b9cf

Download Submit
C:\Windows\SysWOW64\Jbocea32.exe

Filesize
96KB

MD5
41a85f5f4731b2db0cc1134961667cf7

SHA1
95b43375b93deab98b7051e08202f7c0c1bf2029

SHA256
144315422de5562255020366115495fe4ddc2730b728074d310b17bbda05d896

SHA512
aaae5322dc111c2a87b7cefe8eb89c9c9d8f53ca1c0aafc62b007bf98c5a20e4a1b0be734fc125e45d41e15e8eb30e97b9c738eaa4064dc14bc693e182af5704

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe

Filesize
96KB

MD5
50c36b09f6de13d41000884e87bf1ad0

SHA1
dfd591472f6ea0458dcf3205c90ef8fb0ed28bd7

SHA256
0c5b3023c60341960241faf89bd56d370f3a8d106aa2b5c30949bcd68f427b10

SHA512
dd3dd35f8b2eb8a945ea8e00f5e4b536f8c5496011285d3a46807ee0f0cdf0790a0382b1cb92304d349c552a79242723695b9d971c0be8ec58335d77e8dd6a37

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
96KB

MD5
9c59ea74993b886154cf94c7630becb5

SHA1
0e4c72d47cbecb44aeb55098ffd317000a4e6906

SHA256
ad70c20db8871f2abe6a71066d4b2b6041a925602b5af37ed52a93aef81f1d4e

SHA512
f959a6dbdd84265fff68098b525f2856a4eb7d5d4856886a2a9c08fe90a9545168f1bab5677f0b65a3953991bf4f93ae0b7c2fd8b7b22d2ea6df181553fbb5c7

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
96KB

MD5
01d82a51ad9d55bdb233db2d1876c9d2

SHA1
ec4587c1600ccfd9b6e464e772c6505fad11d830

SHA256
82c1276b1f6ac254784a31bdfdd887f44fd5316f1510b6278502cfd9cfd80051

SHA512
adb74c1a5298b95c3413db9131a3718fb3112b8e3fcc83a35b284b290ed15cec3f3be00ab4549f2fc28ddcc53fd083c023aaa3aa00fc05d5486ce3d9ea7e5201

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
96KB

MD5
7813eea5c3c34e34618ba66ed3cabb69

SHA1
88577273ed8014997201144cba5e8b87dc106cf9

SHA256
a631673ef1e8364e96671a54dc65f610e001eed99b73ce433c30ec0289d69cd7

SHA512
7a61311c4a27ce2b12a0430e947b572ac37cb2b22ac6151e3cf62d44b266b029e2b492357dc48c94d6feaf0370328acfa78344b4eca30b25c993b615641c43ae

Download Submit
memory/8-32-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/8-571-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/400-23-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/400-564-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/440-232-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/540-64-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/540-598-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/756-316-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/816-302-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/888-103-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/928-465-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1104-20-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1132-507-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1136-175-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1348-592-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1392-304-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1476-248-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1488-274-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1552-88-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1556-262-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1572-244-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1576-532-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1696-585-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1748-322-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1756-120-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1808-405-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1888-547-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1948-572-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1952-603-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1968-268-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2020-410-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2044-207-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2068-72-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2176-286-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2280-430-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2408-152-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2500-556-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2592-563-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2604-484-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2632-518-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2656-358-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2728-490-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2748-346-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2804-79-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2904-544-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2904-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2972-382-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2992-584-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2992-47-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2996-569-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3048-328-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3076-220-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3116-582-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3128-374-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3180-224-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3184-205-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3344-412-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3392-297-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3444-8-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3444-551-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3504-168-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3552-392-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3588-428-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3604-448-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3632-422-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3652-284-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3656-508-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3668-144-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3688-44-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3720-352-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3888-369-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3908-334-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3936-530-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3952-476-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3996-482-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4028-466-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4068-376-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4108-196-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4272-127-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4332-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4332-591-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4356-396-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4388-436-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4444-446-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4568-256-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4576-95-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4596-310-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4656-164-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4672-344-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4688-499-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4936-112-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4968-184-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4992-520-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5000-454-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5044-135-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5072-542-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads